Techniques for secure debugging and monitoring

ABSTRACT

Techniques for secure debugging and monitoring are presented. An end user requests a secure token for logging information with a remote service. A secure monitoring and debugging token service provides the secure token. The remote service validates the secure token and configures itself for capturing information and reporting the captured information based on the secure token.

BACKGROUND

Enterprises may rely on end-users or developers to assist in trackingand resolving issues with services provided by the enterprises. However,this may create a problem when detailed information is displayed to theend user. In fact, it is common for hackers to use debug information tobreak the security of a system. Thus, by providing this type of controlto the end-users, the enterprises may expose their systems to securityrisks.

From a business perspective, there may be periods of time where anincreased level of tracking is required as result of: a businessconcern, troubleshooting a system issue, behavior pattern deviances,and/or other potential security risks. There are several problemscreated when web services need to provide more debug and monitoringinformation. If an administrator turns on advanced debugging ormonitoring for the system, then too much data may be generated, whichcan cause the enterprise service to appear unresponsive or broken.Additionally, the amount of information generated may result in storageproblems; or create a security vulnerability by exposing sensitiveinformation.

So, an administrator may want to vary end-user monitoring based on thesecurity risk of individuals or the administrator may want to allow endusers to influence how much debugging or monitoring is done on theiraccounts. This is typically achieved by placing a cookie on the browserthat turns on “debug” or “monitoring” to a specific level. The cookiecan be set automatically, or set by the end user that selects an optionto enable debugging. The problem is that there is often no security onthe cookie set. Basically, any user can set any cookie on any browseronce he/she has seen the cookie, which means a hacker can set the samecookie thereby enabling debug, which may disclose information about thesystem that can be used to break in that system (creating a securityhole). It is also well known that the set of values of a cookie used forenabling debugging capabilities is commonly posted on hacker web sites.

Another common problem with uncontrolled or unsecure debugging andmonitoring is that the browser view, which is viewed by an end usercomes from many web services; some of which may not be owned or operatedby the end user's company. A simple cookie that is used to enableadvanced debug information does not have enough data or security for anexternal web service to trust the request and send advanced debug ormonitoring data.

SUMMARY

Various embodiments of the invention provide techniques for securedebugging and monitoring. In an embodiment, a method for securedebugging is presented.

Specifically, selections for logging information with a remote serviceare received. Next, a policy is evaluated to determine whether theselections are permissible. Finally, a secure token is generated thatidentifies a principal, the remote service, and the selections permittedby the policy.

BRIEF DESCRIPTION OF THE DRAWINGS

FIGS. 1A-1C are diagrams depicting example techniques for securedebugging, according to example embodiments presented herein.

FIG. 2 is a diagram of a method for secure logging, according to anexample embodiment presented herein.

FIG. 3 is a diagram of another method for secure logging, according toan example embodiment.

FIG. 4 is a diagram of a secure logging system, according to anembodiment.

DETAILED DESCRIPTION,

A “resource” includes a user, service, system, device, directory, datastore, groups of users, combinations and/or collections of these things,etc. A “principal” is a specific type of resource, such as an automatedservice or user that at one time or another is an actor on anotherprincipal or another type of resource. A designation as to what is aresource and what is a principal can change depending upon the contextof any given network transaction. Thus, if one resource attempts toaccess another resource, the actor of the transaction may be viewed as aprincipal. Resources can acquire and be associated with uniqueidentities to identify unique resources during network transactions.

An “identity” is something that is formulated from one or moreidentifiers and secrets that provide a statement of roles and/orpermissions that the identity has in relation to resources. An“identifier” is information, which may be private and permits anidentity to be formed, and some portions of an identifier may be publicinformation, such as a user identifier, name, etc. Some examples ofidentifiers include social security number (SSN), user identifier andpassword pair, account number, retina scan, fingerprint, face scan, etc.

A “processing environment” defines a set of cooperating computingresources, such as machines (processor and memory-enabled devices),storage, software libraries, software systems, etc. that form a logicalcomputing infrastructure. A “logical computing infrastructure” meansthat computing resources can be geographically distributed across anetwork, such as the Internet. So, one computing resource at networksite X and be logically combined with another computing resource atnetwork site Y to form a logical processing environment.

The phrases “processing environment,” “cloud processing environment,”and the term “cloud” may be used interchangeably and synonymouslyherein.

Moreover, it is noted that a “cloud” refers to a logical and/or physicalprocessing environment as discussed above.

Various embodiments of this invention can be implemented in existingnetwork architectures.

Also, the techniques presented herein are implemented in machines, suchas processor or processor-enabled devices (hardware processors). Thesemachines are configured and programmed to specifically perform theprocessing of the methods and systems presented herein. Moreover, themethods and systems are implemented and reside within a non-transitorycomputer-readable storage media or machine-readable storage medium andare processed on the machines configured to perform the methods.

Of course, the embodiments of the invention can be implemented in avariety of architectural platforms, devices, operating and serversystems, and/or applications. Any particular architectural layout orimplementation presented herein is provided for purposes of illustrationand comprehension only and is not intended to limit aspects of theinvention.

It is within this context that embodiments of the invention are nowdiscussed within the context of the FIGS. 1-4.

FIGS. 1A-1C are diagrams depicting example techniques for securedebugging, according to example embodiments presented herein. Thetechnique include a variety of components that is implemented,programmed, and resides within memory and/or a non-transitorymachine-readable storage medium that executes on one or more processorsof a network. The network may be wired, wireless, or a combination ofwired and wireless.

It is noted that the components and interactions of the FIGS. 1A-1C arepresented for purposes of illustration and that other arrangementsincluding more or less components are possible without departing fromthe teachings provided herein.

A tenet of the embodiments presented herein with respect to providingdebugging and monitoring security is to provide just enough debug ormonitoring data, to those that have a need and also have the rights tosee and use the data. Information generation can be done automaticallyby policy; selected by the end user that is controlled by policy; and/orcontrolled by the administrator.

The techniques herein solve the problem described above by using a“Secure Monitoring and Debug Token Service” (SMDTS and as shown in theFIGS. 1A-1B). Tokens made by the SMDTS (or other entities as discussedbelow) are open standard federation tokens (in some embodiments) havinginformation that controls what level of debugging and monitoringinformation is produced, and where to send the information. These tokenscan be signed by: the SMDTS, and/or a trusted authority and, the tokensmay define identity, roles and other needed data. The tokens may bestored as the value of a cookie on the browser, included in headers,and/or other means. The token may also be limited to the scope of asingle browser session, a single user, and/or a web service and, thetoken may have a limited time to live. Because the tokens are signed,optionally encrypted and have controlled limited use, reuse and spoofingis controlled. It is noted that the SMDTS does not do any logging ormonitoring; the service just provides an enabling token to web servicesthat actually do the logging or data production.

The FIGS. 1A-1C depict some data flows showing how various embodimentsof the invention are to work. This is presented for purposes ofillustration and comprehension and is not intended to specifically limitother embodiments derived from the teachings presented herein and below.

The FIG. 1A shows how processing begins with an end user that isconnected to a company web service and the SMDTS. The end user (workingon a client device) using a browser (or other enterprise network clientservice, such as an app) obtains a token from the SMDTS. This can beachieved in a variety of ways.

For example, the user can go directly to the SMDTS, via A, and selectsparticular options for receiving a token for debugging and/or monitoringwith respect to the Company Web Service.

It is noted that although the FIGS. 1A-1C are discussed from theperspective of a web browser and a web service, this does not have toalways be the case, as the end user can have a mobile client device,such as a phone or tablet, which uses an app to interact with a remoteservice provided to that app (the remote service being the Company WebService).

In another case, the user, using the client service, interacts directlywith the Company Web Service and then is redirected, via B through A, tothe SMDTS with a request for a token.

In still another embodiment, the user, using the client service,interacts directly with the Company Web Service and the Company WebService sends a request for the token (via C) on behalf of the user tothe SMDTS. The token returned by the SMDTS is then sent back to theuser, via the client service, using B.

At this point, the user, via the client service, is in possession of oris associated with a secure token.

The FIG. 1B shows how the token is validated and used to configure theCompany Web Service for debugging and/or monitoring.

Specifically, the token is sent by the client service of the user (suchas via a browser or mobile app) to the Company Web Service via B. Thetoken is then used to determine what debugging/logging (monitoring data)to send, via D, to a remote Corporate Audit Service (or third partyservice) and/or to the client service via B on the client device of theend user. The information (debugging or monitoring) can then be writtento an audit system and/or may be output to the end user's console viaheaders or display. A few examples of this can be achieved is asfollows:

The Company Web Service (CWS) inspects and evaluates the token,validates the token, and enables an appropriate level ofdebugging/logging. In an embodiment, the token type is a SecurityAssertion Markup Language (SAML) token.

In another case, the Company Web Service sends the token to the SMDTS,via C. The SMDTS validates the token and returns to the CWS thedebugging/logging levels. Secure Socket Layer (SSL) communication may beused to ensure security and validate the identity of the SMDTS. Again,example token types can include SAML and OAuth (Open standard forAuthorization).

The FIG. 1C shows an alternative arrangement (to the FIG. 1C) that usesone more additional external services for identifying thedebugging/logging levels for the end user.

The FIG. 1C shows an embodiment where the Company Web Service uses thetoken to interact with another External Web Service, via F. The ExternalWeb Service can use the token to determine the debugging/logging levelto use for the end user in the following manners.

The External Web Service understands the token and validates the token.Once this is done, the External Web Service enables thedebugging/logging levels for the end user. Again, the token type can bea SAML token.

In another situation, the External Web Service sends the token, via G,to the SMDTS. The SMDTS validates the token and returns thedebugging/logging levels. SSL may be used for secure communications andto validate an identity for the SMDTS. Again, the token types caninclude SAML and OAuth.

The FIGS. 1A-1C shows how logging (monitoring) and debugging can besecured by preventing unauthorized access. This can be achieved via openstandard federation tokens. Moreover, the techniques allow forlogging/debugging information to be passed to third party web service(s)while maintaining a secure and trusted relationship. It does not requirethe calling application to setup this trust but uses another trustrelationship that both parties agree on.

Still further, the techniques herein provide identity and policy todetermine the logging/debug levels allowed by a user. This allows policyto control how and by whom debugging/logging information is controlled.

The techniques also allow for disparate party applications (cooperatingweb services in a variety of deployment locations) to have a singledebugging and logging policy.

Further, the techniques allow a third party to control debugging andlogging information.

As will be demonstrated more completely herein, the techniques allow forthe selective control of debugging/logging information content. (Forexample, information may be selected or excluded by a specific type ofrequest, a request from a specific device or service as indicated by thedevice address or service identifying information, a time basedconstraint or other constraining criteria uniquely identifying theinformation, device or service involved.)

Still further, the techniques herein reduce the volume of informationamassed in logging/auditing storage. The techniques also allow fordynamic change of logging/debugging policies within a communicationsession.

FIG. 2 is a diagram of a method 200 for secure logging, according to anexample embodiment presented herein. The method 200 (herein afterreferred to as “SMDTS”) is implemented, programmed, and resides withinmemory and/or a non-transitory machine-readable storage medium thatexecutes on one or more processors of a device and is operational over anetwork. The network may be wired, wireless, or a combination of wiredand wireless.

At 210, the SMDTS receives selections for logging information with aremote service.

It is noted that as used herein the phrases “remote service,” “remotenetwork logging service,” and “logging service” may be usedinterchangeably and synonymously. These entities provide any type ofremote service to the user, such as a web service or a mobile device appservice. In addition, a portion of the entities provides debugging ormonitoring via logging information. How logging is initiated, what iscaptured during the logging, and where the resulting captured logginginformation is sent for evaluation are discussed herein.

According to an embodiment, at 211, the SMDTS receives the selectionsdirectly from a principal. Again, it is noted that a principal can be anend user or an automated service. In this embodiment, the SMDTS providesan interface for the principal (can be Application Programming Interface(API) when the principal is an automated service) to make theselections. The selections identify what types of logging information iscaptured, the frequency of capturing the logging information,instructions as to where to send the captured logging information, andthe like.

Alternatively, at 212, the SMDTS receives the selections from the remoteservice on behalf of the principal who is interacting or who will beinteracting at some point with the remote service. Here, the remoteservice provides an interface or API for the principal to make theselections. However, in some cases, an administrator makes theselections for the principal and it may actually be that the principalis completely unaware of the selections and the soon-to-be securelogging. This latter situation may be useful for auditing a principalfor compliance or if the principal is suspected of unscrupulous activityon the remote service. In still another case, under 212, it may be thatpolicy on the remote service defines or makes the selections on behalfof the principal and the remote service then provides the selections tothe SMDTS.

At 220, the SMDTS evaluates a policy to determine whether the selectionsare permissible. What conditions are defined in the policy and how thepolicy is initially selected or obtained can be configured situations.

For example, at 221, the SMDTS uses an identity for the principal and anidentity for the remote service to select the policy from a library ofavailable policies. It may be that attributes and/or settings are usedby the SMDTS to modify a template to create the policy dynamically basedon the identities as well. So, the policy can be predefined ordynamically configured based on identity-based limitations.

In an embodiment, at 222, the SMDTS uses the policy to define in or withthe secure token where the logged information that is defined by theselections is to be sent. That is, the secure token can be used todefine where captured logged information is sent based on the policyconditions.

Continuing with the embodiment of 222 and at 223, the SMDTS defines anauditing service as one recipient of the logged information and theprincipal as another recipient of the logged information. It is notedthat in some cases, the principal may receive the logged information viaa principal or client-based service executing on a mobile client deviceof the principal. This can be an app on a mobile device of theprincipal.

At 230, the SMDTS generates a secure token that identifies theprincipal, the remote service, and the selections. The secure token canbe encrypted or can be mapped by just the SMDTS to specific logginglevels for the selections (as permitted by policy).

According to an embodiment, at 240, the SMDTS digitally signs the securetoken.

Continuing with the embodiment of 240 and at 250, the SMDTS sends thesigned secure token to the principal. At this point, the principal has asecure encrypted and signed token that needs to be possessed by theprincipal to be useful; so the likelihood of nefarious activity by aneavesdropper is substantially reduced; thereby providing increasessecurity for debugging and monitoring.

Still continuing with the embodiment of 240 and at 260, the SMDTS sendsthe signed secure token directly to the remote service on behalf of theprincipal. This is a situation where the remote service requests thesecure token on behalf of the principal and was discussed above with thediscussion of the FIGS. 1A-1C.

In an embodiment, at 270, the SMDTS receives the secure token over asecure communication channel, such as SSL. In some cases, the securetoken can also be delivered over a non-secure channel. Next, the SMDTSvalidates the token (authentication can also occur with respect to thesender and purported principal of the secure token). Finally, the SMDTSreturns a logging level defined by the selections to the remote service.So, the mapping of the logging level to the secure token can be entirelycontrolled by the SMDTS and provided on demand to the remote servicethat then configures itself for capturing the logging information duringinteractions with the principal.

Processing from the perspective of the remote service is now presentedwith the discussion of the FIG. 3.

FIG. 3 is a diagram of another method 300 for secure logging, accordingto an example embodiment. The method 300 (herein after referred to as“remote network logging service”) is implemented, programmed, andresides within memory and/or a non-transitory machine-readable storagemedium that executes on one or more processors of a server and isoperational over a network. The network may be wired, wireless, or acombination of wired and wireless.

The remote network logging service is presented from the perspective ofa network service that provides secure logging, such as, but not limitedto the Company Web Service presented above with respect to the FIGS.1A-1C. The remote network logging service interacts with the SMDTS(presented in the FIGS. 1A-1C and 2 above).

At 310, the remote network logging service receives a secure token thatdefines a logging level to configure for interactions with a principal.Again, the principal can be an end user or can be an automated service.The interactions can occur via a browser or via a mobile app with theprincipal. The “logging level” defines the types of logging informationto capture, the frequency of capturing the types of logging informationor events for which the types of logging information are to be captured,and/or where and when to send the captured logging information.

According to an embodiment, at 311, the remote network logging serviceacquires the secure token from the principal. Here, the principal may beauthenticated via the secure token as well. Moreover, it may be that thesecure token is signed by the principal (in addition to havingsignatures of other entities such as the SMDTS).

In another case, at 312, the remote network logging service interactswith a SMDTS (see above discussion with respect to the FIGS. 1A, 1B, 1C,and 2) to acquire the secure token on behalf of the principal. Here, asignature of the secure token for the SMDTS may be validated as well andthe SMDTS may be received over a secure channel (SSL, Virtual PrivateNetwork (VPN), and the like).

At 320, the remote network logging service validates the secure tokenover a secure communication channel. Here, the remote network loggingservice uses a service, such as (but not necessarily required see theprocessing of 321) the SMDTS (see 322 below) to validate the securetoken on behalf of the remote network logging service.

In an embodiment, at 321, the remote network logging service interactswith a remote service to validate the secure token. This remote servicethen interacts with a SMDTS to perform the validation of the securetoken (see the FIG. 1C above and its corresponding discussion).

In another case, at 322, the remote network logging service interactswith the SMDTS to perform the validation of the secure token (see theFIG. 1B above and its discussion).

At 330, the remote network logging service configures the logging levelwithin the remote network logging service or other services related toor within the control of the remote network logging service. At thispoint, the remote network logging service is ready to interact with theprincipal and capture information defined by the logging level.

Thus, according to an embodiment, at 340, the remote network loggingservice captures the logging information corresponding with the logginglevel during interactions with the principal.

Continuing with the embodiment of 340 and at 341, the remote networklogging service sends the logging information to the device of theprincipal and to an auditing service (which may or may not be part ofthe remote network logging service). The captured logging informationmay itself be encrypted before being sent to the principal. Moreover, asecure communication channel can be used to send either the encrypted orunencrypted logging information. Still further, the remote networklogging service may send the principal a temporary id and password touse to log onto a temporary secure site to acquire the logginginformation (the principal may be required to sign on and acquire thelogging information with a predefined time or with a time range).

FIG. 4 is a diagram of a secure logging system 400, according to anembodiment. The components of the secure logging system 400 areimplemented as executable instructions that reside within memory and/ornon-transitory computer-readable storage media and those instructionsare executed by one or more devices. The components and the devices areoperational over a network and the network can be wired, wireless, or acombination of wired and wireless.

According to an embodiment, the secure logging system 400 implements,inter alia, the features of the FIGS. 1A-1C and 2-3.

The secure logging system 400 includes a SMDTS 401 and a remote networklogging service 402. Each of these and their interactions with oneanother will not be discussed in turn.

The secure logging system 400 includes a first device having memoryconfigured with SMDTS 401. Example processing associated with the SMDTS401 was presented above in detail with reference to the FIGS. 1A-1C and2.

The SMDTS 401 is configured to generate a secure token based on a policyevaluation that defines a logging level for the remote logging service402 to use when interacting with a principal and wherein the SMDTS 401is configured to validate the secure token for the logging service 402.

According to an embodiment, the SMDTS 401 is further configured to signthe secure token.

The secure logging system 400 includes a second device having memoryconfigured with remote network logging service 402. Example processingassociated with the remote network logging service 402 was presentedabove in detail with reference to the FIGS. 1A-1C and 3.

The remote network logging service 402 is configured to capture loggingdata in accordance with the logging level and report the logging data toan auditing service.

The above description is illustrative, and not restrictive. Many otherembodiments will be apparent to those of skill in the art upon reviewingthe above description. The scope of embodiments should therefore bedetermined with reference to the appended claims, along with the fullscope of equivalents to which such claims are entitled.

1. A method implemented in a non-transitory machine-readable storagemedium and processed by a device configured to perform the method,comprising: receiving, by a Secure Monitoring and Debug Token Service(SMDTS) executing on the device, selections for logging information witha remote service, the selections identifying what monitoring informationthat is to be produced and the selections made by a principal;evaluating, by the SMDTS, a policy to determine whether the selectionsare permissible; and generating, by the SMDTS, a secure token thatidentifies the principal, the remote service, and the selectionspermitted by the policy.
 2. The method of claim 1 further comprising,signing, by the SMDTS, the secure token.
 3. The method of claim 2further comprising, sending, by the SMDTS, the signed secure token tothe principal.
 4. The method of claim 3 further comprising, sending, bythe SMDTS, the signed secure token to the remote service.
 5. The methodof claim 1 further comprising: receiving, by the SMDTS, the secure tokenover a secure or non-secure communication channel from the remoteservice; validating, by the SMDTS, the secure token; and returning, bythe SMDTS, a logging level defined by the selections to the remoteservice.
 6. The method of claim 1 further comprising: receiving, by theSMDTS, the secure token over a secure communication channel from adifferent remote service in communication with the remote service;validating, by the SMDTS, the secure token; and returning, by the SMDTS,a logging level defined by the selections to the different remoteservice.
 7. The method of claim 1, wherein receiving further includesreceiving the selections directly from the principal.
 8. The method ofclaim 1, wherein receiving further includes receiving the selectionsfrom the remote service on behalf of the principal who is interactingwith the remote service.
 9. The method of claim 1, wherein evaluatingfurther includes using an identity for the principal and an identity forthe remote service to select the policy.
 10. The method of claim 1,wherein evaluating further includes using the policy to define in thesecure token where the logged information defined by the selections isto be sent.
 11. The method of claim 10, wherein using further includesdefining an auditing service as one recipient of the logged informationand the principal as another recipient of the logged information.
 12. Amethod implemented in a non-transitory machine-readable storage mediumand processed by a server configured to perform the method, comprising:receiving, by a remote network logging service executing on the server,a secure token that defines a logging level to configure forinteractions with a principal and defines what information to capturefor that logging level, the secure token produced by the principalmaking selections; validating, by the remote network logging service,the secure token over a secure communication channel; and configuring,by the remote network logging service, the logging level.
 13. The methodof claim 12 further comprising, capturing, by the remote network loggingservice logging information corresponding with the logging level duringthe interactions with the principal.
 14. The method of claim 13 furthercomprising, sending the logging information to a device of the principaland to an auditing service.
 15. The method of claim 12, whereinreceiving further includes acquiring the secure token from theprincipal.
 16. The method of claim 12, wherein receiving furtherincludes interacting with a secure monitoring and debugging tokenservice to acquire the secure token on behalf of the principal.
 17. Themethod of claim 12, wherein validating further includes interacting witha remote service to validate the secure token, the remote serviceinteracting with a secure monitoring and debugging token service toperform the validation.
 18. The method of claim 12, wherein validatingfurther includes interacting with a secure monitoring and debuggingtoken service to perform the validation.
 19. A system, comprising: atarget device having memory configured with a secure monitoring anddebugging token service (SMDTS) processing on the target device; and aserver having memory configured with a logging service processing on theserver; wherein the SMDTS is configured to generate a secure token basedon a policy evaluation that defines a logging level for the loggingservice to use when interacting with a principal, the secure tokenproduced by selections of the principal and identify what information toproduce for the logging level, and wherein the SMDTS is configured tovalidate the secure token for the logging service, and the loggingservice is configured to capture logging data in accordance with thelogging level and report the logging data to an auditing service. 20.The system of claim 19, wherein the SMDTS is configured to sign thesecure token.